[SRU Bionic 2/2] fuse: fix live lock in fuse_iget()
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Wed Oct 13 19:18:56 UTC 2021
From: Amir Goldstein <amir73il at gmail.com>
Commit 5d069dbe8aaf ("fuse: fix bad inode") replaced make_bad_inode()
in fuse_iget() with a private implementation fuse_make_bad().
The private implementation fails to remove the bad inode from inode
cache, so the retry loop with iget5_locked() finds the same bad inode
and marks it bad forever.
kmsg snip:
[ ] rcu: INFO: rcu_sched self-detected stall on CPU
...
[ ] ? bit_wait_io+0x50/0x50
[ ] ? fuse_init_file_inode+0x70/0x70
[ ] ? find_inode.isra.32+0x60/0xb0
[ ] ? fuse_init_file_inode+0x70/0x70
[ ] ilookup5_nowait+0x65/0x90
[ ] ? fuse_init_file_inode+0x70/0x70
[ ] ilookup5.part.36+0x2e/0x80
[ ] ? fuse_init_file_inode+0x70/0x70
[ ] ? fuse_inode_eq+0x20/0x20
[ ] iget5_locked+0x21/0x80
[ ] ? fuse_inode_eq+0x20/0x20
[ ] fuse_iget+0x96/0x1b0
Fixes: 5d069dbe8aaf ("fuse: fix bad inode")
Cc: stable at vger.kernel.org # 5.10+
Signed-off-by: Amir Goldstein <amir73il at gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi at redhat.com>
(cherry picked from commit 775c5033a0d164622d9d10dd0f0a5531639ed3ed)
CVE-2021-28950
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
fs/fuse/fuse_i.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 0ffee42c2587..41a1e4691db7 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -695,6 +695,7 @@ static inline u64 get_node_id(struct inode *inode)
static inline void fuse_make_bad(struct inode *inode)
{
+ remove_inode_hash(inode);
set_bit(FUSE_I_BAD, &get_fuse_inode(inode)->state);
}
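Review bot: the commit message justifies the unhash only for the fuse_iget() retry loop, but fuse_make_bad() is a shared static inline helper in fuse_i.h, so every caller now drops the inode from the hash before marking it FUSE_I_BAD; a sentence in the changelog stating that unhashing is the intended behaviour for all callers (not just the iget5_locked() retry path) would make the scope of the change explicit. Also worth a line in the message is the ordering chosen here, `remove_inode_hash(inode);` before `set_bit(FUSE_I_BAD, ...)`, since a concurrent lookup that already holds a reference to the old inode can still observe the bad bit while new lookups allocate a fresh inode instead of spinning on the stale one, which is exactly the stall the kmsg trace shows.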
--
2.30.2